Embed Size (px)
Citation preview
CHAPTER 4
Information Security
CHAPTER OUTLINE
4.1 Introduction to Information Security
4.2 Unintentional Threats to Information Security
4.3 Deliberate Threats to Information Security
4.4 What Organizations Are Doing to Protect
Information Resources
4.5 Information Security Controls
LEARNING OBJECTIVES
1. Identify the five factors that contribute to the increasing vulnerability of information resources, and provide a specific example of each one.
2. Compare and contrast human mistakes and social engineering, and provide a specific example of each one.
3. Discuss the ten types of deliberate attacks.
LEARNING OBJECTIVES (continued)
4. Define the three risk mitigation strategies, and provide an example of each one in the context of you owning a home.
5. Identify the three major types of controls that organizations can use to protect their information resources, and provide an example of each one.
Opening Case: Kim Dotcom
4.1 Introduction to Information Security
Key Information Security Terms
Information Security
Threat
Exposure
Vulnerability
Example of a threat (video)
Five Factors Increasing the Vulnerability of Information Resources
Today’s interconnected, interdependent, wirelessly-networked business environment
Smaller, faster, cheaper computers and storage devices
Decreasing skills necessary to be a hacker
Organized crime taking over cybercrime
Lack of management support
Networked Business Environment
Smaller, Faster Devices
Increasing Sophistication of Attacks
Low
High
1980 2011
Attack Sophistication
Knowledge Required by Intruder
WiGLE.net
New & Easier Attack Tools
Decreasing Skills Needed to be a hacker
New & Easier Tools make it very easy to attack the Network
Organized Crime Taking Over Cybercrime
Lack of Management Support
4.2 Unintentional Threats to Information Systems
Security Threats (Figure 4.1)
Most Dangerous Employees
Human resources and MIS
These employees hold ALL the information
Consultants, Janitors and Security Guards
Human Errors
Carelessness with laptops and portable computing devices
Opening questionable e-mails
Careless Internet surfing
Poor password selection and use
And more
Social Engineering
Two examples
Tailgating
Shoulder surfing
Anti-Tailgating Door
Shoulder Surfing
The “King” of Social Engineering
60 Minutes Interview with Kevin Mitnick
Kevin Mitnick served several years in a federal prison. Upon his release, he opened his own consulting firm, advising companies on how to deter people like him
See his company here
4.3 Deliberate Threats to Information Systems
Deliberate Threats
Espionage or trespass
Information extortion
Sabotage or vandalism
Theft of equipment or information For example, dumpster diving
Deliberate Threats (continued)
Identify theft
Identity theft video
Compromises to intellectual property
Medical identity theft video
Deliberate Threats (continued)
Software attacksVirus
Worm 1988: first widespread worm, created by Robert T. Morris, Jr.
(see the rapid spread of the Slammer worm)
Trojan horse
Logic Bomb
Software attacks (continued)Phishing attacks
Phishing slideshow Phishing quiz Phishing example Phishing example
Distributed denial-of-service attacks See botnet demonstration
Deliberate Threats (continued)
How to Detect a Phish E-mail
Is the email really from eBay, or PayPal, or a bank?
As Spammers get better, their emails look more genuine. How do you tell if it’s a scam and phishing for personal information? Here’s how ...
Is the email really from eBay, or PayPal, or a bank?
As an example, here is what the email said: Return-path: <[email protected]> From: "PayPal"<[email protected]> Subject: You have 1 new Security Message Alert !
Note that they even give
advice in the right column
about security
Example Continued – bottom of the email
How to see what is happening View Source In Outlook, right click on email, click ‘view source’ In GroupWise, open email and click on the Message Source tab In Mozilla Thunderbird, click on View, and Source. Below is the part of the text that makes the email look official – the images came
from the PayPal website.
View Source – The Real Link
In the body it said, “If you are traveling, “Travelling Confirmation Here”
Here is where you are really being sent href=3Dftp://futangiu:[email protected]/
index.htm
Notice that the link is not only not PayPal, it is an IP address, 2 giveaways of a fraudulent link.
Another Example – Amazon
View Source
Deliberate Threats (continued)
Alien SoftwareSpyware (see video)
Spamware
CookiesCookie demo
Keystroke Logger (Keylogger)
Plugs in between monitor and computer
Example of CAPTCHA
Deliberate Threats (continued)
Supervisory control and data acquisition (SCADA) attacks
Wireless sensor
What if a SCADA attack were successful?
Northeastern U.S. power outage in 2003
Results of the power outage in NYC
More results of power outage in NYC
Example of SCADA attack (and cyberwarfare)
The Stuxnet Worm (IT’s About Business 4.3)
Where Stuxnet struck
Stuxnet video
Cyberwarfare and Cyberterrorism
See video
4.4 What Organizations Are Doing to Protect Themselves
Risk!
There is always risk!
And then there is real risk!
Risk Management
Risk
Risk management
Risk analysis
Risk mitigation
Risk Mitigation Strategies
Risk Acceptance
Risk limitation
Risk transference
Risk Optimization
4.5 Information Security Controls
Information Security Controls
Physical controls
Access controls
Communications (network) controls
Where Defense Mechanisms (Controls) Are Located
Access Controls
AuthenticationSomething the user is (biometrics powerpoints)
Video on biometrics The latest biometric: gait recognition
Something the user has
Something the user does
Something the user knows passwords passphrases
Access Controls (continued)
Authorization
Privilege
Least privilege
Communications Controls
Firewalls
Anti-malware systems
Whitelisting and Blacklisting
Encryption
Communication or Network Controls (continued)
Virtual private networking
Secure Socket Layer (now transport layer security)
Employee monitoring systems
Basic Home Firewall (top) and Corporate Firewall (bottom)
Whitelisting and Blacklisting
Whitelisting Blacklisting
How Digital Certificates Work
Virtual Private Network and Tunneling
Transport Layer Security
Popular Employee Monitoring Systems
Employee Monitoring System
Business Continuity Planning, Backup, and Recovery
Hot Site
Warm Site
Cold Site
Information Systems Auditing
Types of Auditors and Audits
Internal
External
IS Auditing Procedure
Auditing around the computer
Auditing through the computer
Auditing with the computer
Chapter Closing Case
Chapter Closing Case
